The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don't have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user's most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user's browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights. Here's a video of it in action: